b'National Aeronautics and Space Administration\nOffice of Inspector General\nWashington, DC 20546-0001\n\n\n\n\n                                      January 30, 2014\n\nTO:          Larry N. Sweet\n             NASA Chief Information Officer\n\n\nFROM:        Paul K. Martin\n             Inspector General\n\n\nSUBJECT: Review of NASA\xe2\x80\x99s Agency Consolidated End-User Services Contract\n         (IG-14-013)\n\n\nIn December 2010, NASA awarded the Agency Consolidated End-User Services (ACES)\ncontract to HP Enterprise Services (HP) to provide desktop computers, laptops, mobile\ndevices, printers, and other computing equipment as well as end-user services, such as a\nhelp desk and data backup, to NASA employees and contractors. The ACES contract is a\nfirm fixed price, indefinite-delivery/indefinite-quantity contract with a maximum value of\n$2.5 billion. The 4-year contract runs from November 2011 through October 2015, after\nwhich NASA may extend the contract under two, 3-year options. With the ACES\ncontract, NASA moved from a Center-based end-user services delivery model under\nwhich the individual Centers had greater control over products and services to a centrally\nmanaged, Agency-wide end-user services model. By adopting this enterprise model for\nits most common information technology (IT) services, NASA hoped to save money and\nenhance the security of its IT systems through leveraging economies of scale and\nstandardizing institutional IT architecture.\n\nHowever, NASA and HP have encountered significant problems implementing the ACES\ncontract, including a failed effort to replace most NASA employees\xe2\x80\x99 computers within the\nfirst 6 months and low customer satisfaction. Given that NASA is halfway through the\nbase contract period, it must soon decide whether to exercise the first 3-year option or end\nthe contract after the base period and find another way to obtain these critical IT services.\n\nThe ACES contract requires that prior to exercising an option to extend the contract, the\nAgency\xe2\x80\x99s Contracting Officer must determine that doing so is the most advantageous\nmethod of fulfilling NASA\xe2\x80\x99s IT requirements. To support that determination, the Office\nof the Chief Information Officer (OCIO) and the Contracting Officer must analyze option\n\x0c  prices, HP\xe2\x80\x99s performance, current market conditions, advances in technology, and other\n  programmatic factors. This analysis must allow sufficient time for NASA officials to\n  pursue appropriate alternative approaches with minimal impact to the Agency in terms of\n  technical, cost, or schedule risk should they conclude the best path forward is not to\n  extend the ACES contract.\n\n  The Office of Inspector General (OIG) initiated an audit of the ACES contract in April\n  2013 to determine whether the contract is improving employee end-user services,\n  realizing cost savings and other efficiencies, and meeting Agency mission requirements.\n  However, given that the time is fast approaching for NASA to decide whether to extend\n  the ACES contract or seek other options, we are truncating our audit work and issuing\n  this memorandum to enable NASA to consider the issues we identified during the course\n  of our review. In light of the criticality of the IT services provided under the ACES\n  contract, NASA\xe2\x80\x99s decision on how to move forward will directly affect NASA\xe2\x80\x99s more\n  than 17,000 employees and thousands of contractors.\n\nExecutive Summary\n  NASA\xe2\x80\x99s lack of adequate preparation prior to deploying the ACES contract together with\n  HP\xe2\x80\x99s failure to meet important contract objectives has resulted in the contract falling\n  short of Agency expectations. We attribute these shortcomings to several factors,\n  including a lack of technical and cultural readiness by NASA for an Agency-wide IT\n  delivery model, unclear contract requirements, and the failure of HP to deliver on some\n  of its promises. In general, these issues fall into two categories: (1) issues related to the\n  Agency\xe2\x80\x99s overall IT governance and (2) management and problems specific to the ACES\n  contract.\n\n  NASA Not Prepared for an Enterprise-wide IT Approach. Moving from a\n  Center-managed IT services contract to a centrally managed enterprise-wide end-user\n  services delivery model required a cultural transition at NASA. Based on our previous\n  work and work for this review, we found the transition has been difficult and remains\n  incomplete. As noted in our June 2013 audit report, NASA\xe2\x80\x99s current IT governance\n  model is ineffective, overly complex, and not suitable for managing an Agency-wide IT\n  environment.1 Implementing an enterprise delivery model within a historically\n  decentralized IT environment requires a strong governance structure in which authority is\n  exercised from an Agency-wide perspective, \xe2\x80\x9cbuy-in\xe2\x80\x9d is obtained from key stakeholders,\n  and adequate consideration is given to the state of the organization\xe2\x80\x99s current and future IT\n  needs. However, NASA did not adequately address the shortcomings in its IT\n  governance practices prior to initiation of the ACES contract. Consequently, the Agency\n  has been trying to implement an enterprise-wide IT solution across a decentralized and\n  disparate IT environment led by a management culture largely resistant to such change.\n\n\n\n\n  1\n      NASA OIG, \xe2\x80\x9cNASA\xe2\x80\x99s Information Technology Governance\xe2\x80\x9d (IG-13-015, June 5, 2013).\n\n                                                   2\n\x0c  Contract Not Meeting Agency Goals. Poor implementation by HP on important aspects\n  of the contract and inconsistent oversight by NASA have contributed to the ACES\n  contract failing to meet Agency expectations. Overall, we found that NASA employees\n  have a negative perception of the ACES \xe2\x80\x9cbrand.\xe2\x80\x9d We believe HP\xe2\x80\x99s failure to replace or\n  \xe2\x80\x9crefresh\xe2\x80\x9d computers across the Agency at the start of the contract as promised, the\n  inability of HP and NASA to maintain a complete and accurate inventory of IT\n  equipment, and inaccuracies in billing invoices greatly contribute to this perception.\n  NASA\xe2\x80\x99s lack of a complete system for ordering IT equipment and services further\n  hinders the success of the ACES contract. Finally, top NASA IT officials expressed the\n  view that HP is performing poorly under the contract even after taking into consideration\n  the Agency\xe2\x80\x99s failure to establish sound performance metrics.\n\n  NASA is fast approaching a critical decision point when it must weigh the benefits of\n  exercising the first 3-year option period or ending the ACES contract and seeking\n  alternatives to meet the Agency\xe2\x80\x99s IT needs. Regardless of its decision, NASA must\n  ensure that its choice aligns with the Agency\xe2\x80\x99s overall enterprise architecture and can be\n  executed within the current and planned IT environment and within the expected budget.\n  We urge Agency officials to consider the issues we highlight in this memorandum when\n  determining how best to meet NASA\xe2\x80\x99s future IT needs. We provided management with\n  our draft memorandum for review and have incorporated the resulting technical\n  comments, as appropriate.\n\nBackground\n  For more than a decade, Lockheed Martin Corporation provided NASA with IT end-user\n  services under the Outsourcing Desktop Initiative for NASA (ODIN) contract. Each\n  NASA Center could tailor the ODIN contract to meet its needs using Center-specific\n  delivery orders and Centers had the flexibility to purchase varying hardware and services\n  and establish security parameters to meet Center-specific needs. Additionally, each\n  Center had its own contracting and support staff assigned to the contract.\n\n  The ACES contract is one of four contracts that make up NASA\xe2\x80\x99s Information\n  Technology Infrastructure Integration Program (I3P) and as such is part of an Agency\n  strategy to move from a Center-centric to an enterprise model of providing IT services.2\n  NASA established I3P in 2007 with the goals of enabling Agency-wide collaboration\n  through a seamless IT infrastructure; realizing efficiencies in IT infrastructure operating\n  costs; reducing the complexity of managing IT services; and improving IT security. To\n  accomplish these objectives, the I3P program sought to identify IT infrastructure services\n  common to all NASA Centers, consolidate those services into fewer contracts, and\n  manage them from a centralized service office.\n\n\n  2\n      The other three contracts that make up NASA\xe2\x80\x99s IP3 effort are: the Web Enterprises Services and\n      Technology contract, which provides an Agency-wide capability to create, maintain, and manage\n      websites; the NASA Integrated Communications Services contract, which consolidates the NASA\n      Integrated Services Network wide area and Center local area networks and services; and the Enterprise\n      Applications Service Technologies contract, supporting the NASA Enterprise Applications Competency\n      Center to deliver enterprise application services.\n\n                                                       3\n\x0cIn December 2010, NASA awarded the ACES contract to HP to provide, manage, secure,\nand maintain the bulk of NASA\xe2\x80\x99s personal computing hardware, standard software,\nmobile IT services (including smartphones), and associated end-user services. Under the\ncontract, HP provides both \xe2\x80\x9ccomputing seats\xe2\x80\x9d and base services. Computing seats\ninclude hardware (e.g., desktop computer, laptop, operating system, monitor, and docking\nstation) and services (e.g., software and system administration). Base services include\ne-mail and calendaring, user authentication, security patching, encryption, \xe2\x80\x9cloaner pool\xe2\x80\x9d\nequipment management, instant messaging services, and a \xe2\x80\x9chelp desk\xe2\x80\x9d to respond to\ncustomer questions and computer problems.\n\nNASA pays HP a fixed price for each computer seat and additional amounts for base\nservices based on the estimated number of Agency employees.3 Unlike the ODIN\ncontract under which Centers paid for their delivery orders, the ACES contract requires\nCenters to pay into a common working capital fund managed by the I3P Business Office\nlocated at the NASA Shared Services Center (NSSC).4 From contract inception through\nAugust 2013, NASA has paid HP $169 million \xe2\x80\x93 $93 million for seat services, $51\nmillion for base services, and $25 million for contract adjustments such as infrastructure\nupgrades, IT hardware, and software made via Infrastructure Upgrade Proposals (IUP)\nand catalog purchases.5\n\nIn an effort to promote high quality service and customer satisfaction, NASA established\na series of performance metrics in the contract that affect HP\xe2\x80\x99s compensation.\nSpecifically, NASA may retain up to 16 percent of the amount HP invoices monthly if\nthe company fails to meet agreed-upon metrics in areas such as customer satisfaction,\nincident reporting, adherence to schedule, and subcontracting goals.6\n\nAs part of the ACES base contract, HP planned to replace all existing ODIN equipment\nwith HP equipment within the first 6 months of contract execution. However, for a\nvariety of reasons, this did not occur and instead HP purchased the existing computer\nequipment from Lockheed Martin. Many of the significant issues and delays surrounding\nthe ACES contract relating to inventory, billing, and security are traceable to this\ndeviation from the original contract. Moreover, NASA cannot accurately measure the\ntrue cost of the ACES contract nor determine whether it has resulted in savings compared\nto the ODIN contract because the Agency is incurring additional costs beyond the base\nand seat charges that affect the total cost of IT services. For example, HP has submitted\n\n3\n    According to the ACES contract, NASA\xe2\x80\x99s N2 database, the system that contains the total estimated\n    number of civil service and contractor employees at each Center, is used to determine this figure.\n4\n    The NASA Shared Services Center is a partnership between NASA and a contractor that consolidates\n    support functions such as financial management, human resources, IT, and procurement.\n5\n    The ACES contract provides NASA with two options for ordering services and supplies: (1) Enterprise\n    Service Request System (ESRS) or (2) IUPs. Because ESRS can only be used for individual orders,\n    IUPs are used when supplies and services are needed for multiple users or for items not included in the\n    ACES contract.\n6\n    A complete list of the metrics appears on pages 10 and 11 of this memorandum.\n\n                                                      4\n\x0c  two claims demanding several million dollars for services provided in excess of contract\n  requirements and disputing amounts NASA has retained based on the company\xe2\x80\x99s failure\n  to meet performance metrics. These types of issues, along with a high level of turnover\n  and staffing shortages at both HP and NASA, have increased tensions, burdened the\n  working relationship, and diminished trust between HP and NASA.\n\n  The OIG assessed the current state of the contract against the backdrop of these\n  challenges, concerns we heard from NASA managers, and the critical decision about the\n  future of the ACES contract the Agency Chief Information Officer (CIO) will soon need\n  to make. To obtain a broad perspective, we interviewed ACES stakeholders across the\n  Agency including the Agency CIO, several Center CIOs, representatives from the End-\n  User Service Office, ACES Subject Matter Experts, HP representatives, a NASA\n  Program Support Manager, procurement representatives, ACES Contracting Officers,\n  Contracting Officer Technical Representatives, and members of the ACES Source\n  Evaluation Board.7 We also reviewed the base contract, contract modifications, and other\n  documentation relevant to the contract.\n\nNASA Not Prepared for an Enterprise Approach\n  NASA did not establish and continues to lack the necessary governance structure to\n  successfully implement an Agency-wide IT solution. NASA\xe2\x80\x99s current IT governance\n  structure is overly complex and ineffective and, in our opinion, not well positioned to\n  manage an enterprise-wide IT environment encompassing more than 50,000 federal\n  employees and contractors. The ACES contract describes NASA as a singular \xe2\x80\x9centerprise\xe2\x80\x9d\n  when from a technical and practical standpoint it is not. Functionally, NASA does not\n  operate as a single enterprise, but rather as 10 different enterprises as reflected in the\n  relatively autonomous operating nature of its Centers. With implementation of the ACES\n  contract, NASA moved from a Center-centric IT model to an enterprise model without\n  fully considering the technical challenges of such a dramatic change. As one example,\n  Center IT representatives told us that HP did not coordinate with Agency personnel to\n  adjust firewall rules to allow for the shift from Center-operated to enterprise-wide\n  deployment and management. Without this critical coordination, implementation of the\n  contract was further delayed. In addition, IT representatives noted that requests previously\n  addressed by Center-based ODIN personnel are now routed through the centralized ACES\n  end-user services office. In their view, this more cumbersome process results in delays.\n  Further, NASA IT managers failed to commit sufficient resources to execute an\n  enterprise-wide approach. Notwithstanding enthusiasm for an enterprise model among\n  some NASA IT representatives, most agreed that the funding and staffing applied to the\n  transition were not adequate to ensure a smooth transition.\n\n  7\n      The End-User Service Office (EUSO) is responsible for providing service management and oversight for\n      Agency end-user services. EUSO staff manage technical operations with oversight from the Marshall\n      Space Flight Center CIO in collaboration with the enterprise level Service Executive. NASA Centers\n      have named subject matter experts to monitor day-to-day contractor activity and be familiar with contract\n      requirements. Both EUSO staff and subject matter experts are responsible for providing input used to\n      evaluate HP\xe2\x80\x99s performance.\n\n\n\n                                                        5\n\x0cNASA\xe2\x80\x99s culture also affects its ability to implement an Agency-wide IT services model.\nAs noted in our 2013 IT Governance report, the Agency\xe2\x80\x99s history and organizational\nstructure hinders the CIO\xe2\x80\x99s ability to implement and enforce sound IT governance\ninitiatives. Moreover, the CIO has limited visibility and control over a majority of\nNASA\xe2\x80\x99s approximate $1.5 billion in annual IT investments. For example, each NASA\nCenter employs its own CIO and IT staff, and the Agency CIO has delegated to the\nCenter CIOs the responsibility, authority, and accountability for Center IT portfolios.\nGiven this structure, it is not surprising that a move to an enterprise model encountered\nresistance. Indeed, HP officials told us that after awarding the ACES contract, NASA\xe2\x80\x99s\nformer CIO tasked them with \xe2\x80\x9cselling\xe2\x80\x9d the enterprise model to Center personnel.\n\nComplicating matters further, NASA\xe2\x80\x99s decision-making process under the ACES contract\nis highly bureaucratic and disseminated throughout multiple levels of Agency\nmanagement, including the Contracting Officer, the End-User Services Office, Center\nrepresentatives, the IT Management Board, and the Agency CIO. According to HP\nrepresentatives, this has complicated nearly every aspect of the contract because of the\nlength of time it takes to obtain agreement from all parties. Additionally, HP\nrepresentatives stated that at times NASA required top Agency managers to be consulted\nand in agreement on basic decisions concerning the contract, which contributed to\ninefficiencies. Moreover, we found that decisions that should be made at the\nAgency-level are instead being made at individual Centers, sometimes with different\noutcomes. For example, decisions regarding whether each Center must provide HP\nemployees with workspace and who is responsible for scheduling technical refreshes\nhave been left at the Center-level, leading to inconsistent guidance to HP.\n\nWe also found that satisfaction with the ACES contract and HP varied widely from\nCenter to Center, with the level of satisfaction often related to the relationships formed\nbetween HP and NASA personnel at each location. This finding is similar to results of\nour 2013 IT Governance report in which we found that NASA IT representatives tend to\nrely on informal relationships rather than formalized business processes when managing\nAgency IT resources.\n\nFurther complicating implementation of an Agency-wide IT model is the lack of a fully\nmature enterprise architecture. The purpose of an enterprise architecture is to ensure that\nbusiness strategies and IT investments are aligned with and support an organization\xe2\x80\x99s\nstrategic plan. At NASA, the Enterprise Architecture Office within the OCIO is\nresponsible for articulating the Agency\xe2\x80\x99s mission supporting technologies and operational\nmodel to accomplish the Agency\xe2\x80\x99s IT goals. The Enterprise Architecture Office assesses\nthe Agency\xe2\x80\x99s current IT architecture and determines an approach to move from the\n\xe2\x80\x9cAs-Is\xe2\x80\x9d state to the \xe2\x80\x9cTo-Be\xe2\x80\x9d state. However, these plans were not in place prior to the\nimplementation of the ACES contract, leading to inconsistent deployments across the\nAgency. Several NASA IT representatives told us that going forward the Agency should\nestablish strict guidelines to identify requirements that are truly unique to the individual\nCenters. Further, several NASA IT officials suggested that the Agency needs to establish\na comprehensive IT foundation before an enterprise-based IT solution could be\n\n                                             6\n\x0csuccessful. Many of these IT officials also said that integration of all the I3P contracts,\nincluding ACES, is weak and incomplete. In fact, an August 2013 review of the I3P\nprogram by NASA officials recommended that NASA either reaffirm its commitment to\nthe program by providing adequate resources to accomplish its objective, de-scope its\nobjective to make it an executable program, or abandon the enterprise approach for\ndelivery of IT services.8\n\nSource Evaluation Board. NASA managers we spoke with expressed concerns that\nsome of the issues encountered with the ACES contract can be traced to weaknesses in\nthe Agency\xe2\x80\x99s request for proposal (RFP), the Source Evaluation Board (SEB)\nmethodology, and the staffing and process used to draft the contract.9 The\nSEB \xe2\x80\x93 composed of NASA civil servants from a variety of Centers \xe2\x80\x93 was charged with\nassisting the Source Selection Authority by providing expert analyses of the proposals\nfrom prospective contractors. Although the SEB\xe2\x80\x99s operations were based at the NSSC,\nnot all of the Board members were located there. Several SEB members worked at other\nNASA Centers and had to travel to the NSSC for weeks at a time to perform board\nfunctions. These members were not specifically dedicated to the contractor selection\nprocess and would often return to their home Center to perform their normal duties.\nSome NASA officials also questioned whether SEB members from the Centers had the\nability to view the prospective contract from an Agency-wide perspective as opposed to a\nCenter-specific viewpoint. Center representatives who were not SEB members expressed\nconcern that while they had an opportunity to review parts of the RFP and contract, the\nSEB was not staffed to handle their feedback and many issues were left unaddressed by\nthe Board. Additionally, many officials we spoke with said the RFP was not fully\nrepresentative of the state of NASA\xe2\x80\x99s IT environment and that HP did not perform\nsufficient due diligence in preparing its proposal.\n\nAt the conclusion of their SEB duties, several Board members transitioned into positions\nresponsible for administering the ACES contract. This appears to have contributed to\ndisagreement between HP and NASA personnel regarding the terms of the contract and\nfurther stressed the working relationship between the two groups. For example, HP\nofficials told us they believe the Agency is asking them to undertake tasks not required\nby the contract and therefore the company is charging NASA and submitting invoices\nwhen it performs these services. On the other hand, many NASA officials expressed the\nview that HP should be more flexible regarding contract interpretation and show a greater\ncommitment to improving customer service.\n\nLessons Learned. During our review, NASA managers, IT representatives, and\nprocurement personnel shared their experiences relating to the transition from a\nCenter-based to an enterprise-level IT approach, including several \xe2\x80\x9clessons learned\xe2\x80\x9d:\n\n\n8\n    I3P Assessment Team, \xe2\x80\x9cI3P Assessment Team: Final Report\xe2\x80\x9d (August 14, 2013).\n9\n    The SEB is a group of government civilian personnel representing functional and technical disciplines\n    charged with evaluating contractor proposals and developing summary facts and findings. The SEB\n    assists the Source Selection Authority by providing expert analyses of the proposals in relation to the\n    evaluation factors contained in the solicitation.\n\n                                                       7\n\x0c         \xef\x82\xb7   Consider as a threshold matter whether NASA\xe2\x80\x99s IT environment is sufficiently\n             homogenous and mature to implement an Agency-wide IT solution.\n         \xef\x82\xb7   Ensure adequate staffing and funding are available to support Agency-wide IT\n             initiatives.\n         \xef\x82\xb7   Establish standardized end-user IT processes across the Agency and designate the\n             appropriate decision making authorities.\n         \xef\x82\xb7   Establish guidelines to help identify requirements that are truly unique to\n             individual Centers.\n         \xef\x82\xb7   Determine the Agency\xe2\x80\x99s commitment to the overall I3P initiative.\n         \xef\x82\xb7   Include a thorough and complete representation of NASA\xe2\x80\x99s IT environment in\n             any future RFPs.\n         \xef\x82\xb7   Ensure personnel involved in the RFP process and SEB members have the skill\n             sets necessary to handle feedback and concerns of Centers and Mission\n             Directorates.\n         \xef\x82\xb7   Ensure SEB members are provided the appropriate time to perform their\n             evaluation duties.\n         \xef\x82\xb7   Review whether it is appropriate for members of the RFP team or SEB to\n             administer the resulting contract.\n         \xef\x82\xb7   Establish a single group to perform Agency-wide IT implementation to ensure\n             consistency and leverage lessons learned during implementation.\n\nContract Not Meeting Agency Goals\n  The ACES contract has faced significant challenges from the outset. Not only was the\n  enterprise-wide approach a radical change for NASA, but HP was unfamiliar with\n  NASA\xe2\x80\x99s IT environment and culture. Additionally, the OCIO had limited experience\n  developing and awarding an enterprise-wide IT contract and failed to adequately prepare\n  for the difficulties entailed in consolidating the heterogeneous, Center-specific IT\n  services previously provided under the ODIN contract into a single, Agency-wide IT\n  services program.10\n\n  Technology Refresh. In its proposal, HP promised to replace all existing ODIN laptop\n  and desktop computers with new HP equipment \xe2\x80\x93 known as a technology refresh \xe2\x80\x93 within\n  6 months of contract award, and this provision was incorporated into the ACES contract.\n  However, HP was unable to deliver on this promise. According to Agency IT officials,\n  this occurred because HP did not have a good understanding of NASA\xe2\x80\x99s IT environment\n  and did not perform sufficient due diligence to identify the issues the company would\n  face during contract implementation. On the other hand, HP representatives attributed\n\n  10\n       Upon award of the contract to HP in December 2010, Lockheed Martin Corporation, the incumbent\n       contractor, filed a protest claiming that NASA\xe2\x80\x99s evaluation of proposals and its selection process was\n       unreasonable. The Government Accountability Office denied Lockheed Martin\xe2\x80\x99s claim in April 2011,\n       but the protest delayed the start of the ACES contract for 4 months.\n\n                                                         8\n\x0cthe delay in refreshing equipment to inefficient decision making by the OCIO on\nhardware specifications for new computers and NASA\xe2\x80\x99s inability to develop a\nfunctioning ordering system for new IT equipment.11 Whatever the exact causes, HP\xe2\x80\x99s\nplan changed from a complete refresh of all NASA computers within the first 6 months to\na phased replacement approach that will not be complete until April 2014.\n\nThis early failure significantly affected the success and acceptance of the ACES contract.\nAccording to the original contract, \xe2\x80\x9cthe successful phase-in of ACES seats would\nestablish the foundation for IT services management and the achievement of ACES goals\nand objectives as well as setting the tone for end-user service delivery throughout the\nAgency.\xe2\x80\x9d The contract further stated that HP would execute a seamless phase-in of\nproducts and services from ODIN to ACES and provide users with an immediate\ntechnology refresh of computing services capabilities. According to HP, the refresh was\nthe foundation for achieving NASA\xe2\x80\x99s goals for ACES and underpinned HP\xe2\x80\x99s strategy to\nsave NASA more than 40 percent compared to the previous contractor, establish a single\nstable IT security environment, and enable the introduction of new technology early in its\ntenure as NASA\xe2\x80\x99s new contractor for end-user services.\n\nOnce HP realized it could not accomplish the full technology refresh in the timeframe it\nhad promised, it purchased the computers, laptops, and other IT assets from Lockheed\nMartin for approximately $27 million. However, a complete and accurate inventory of\nODIN assets was not available, and consequently HP had little assurance of exactly what\nequipment it had purchased. In addition, purchasing ODIN equipment left many NASA\nemployees and contractors with computers not equipped with features specified in the\nACES contract. For example, the ACES contract required the refreshed computers be\nequipped with encryption software that most legacy equipment lacked. The subsequent\ntheft of a laptop computer from a NASA employee containing sensitive information in\nOctober 2012 prompted NASA IT officials to devote significant time and money to\nexpediting the deployment of encryption software on Agency computers. In the end,\nNASA paid HP an additional $220,538 to undertake the hurried encryption effort \xe2\x80\x93 a task\nand expense that would have been unnecessary had HP met its original requirement to\nrefresh all of the ODIN equipment with new, encrypted machines within the first\n6 months of the contract. More than 2 years into the ACES contract, HP has yet to\ncomplete a total hardware refresh; specifically, more than 9,000 of approximately 44,000\ncomputers have yet to be refreshed as of September 2013.\n\nContract Modification 48. NASA uses performance metrics to assess HP\xe2\x80\x99s progress in\nmeeting contract objectives and goals. Early in the implementation of the ACES\ncontract, NASA deemed HP \xe2\x80\x9cfailing\xe2\x80\x9d in the areas of service delivery and incident\nmanagement and characterized customer satisfaction as inconsistent. According to the\n\n\n11\n     Once it became clear that HP would be unable to meet its contractual requirement to deliver a complete\n     refresh in 6 months, the former Agency CIO needed to decide whether to continue working with HP or\n     recommend terminating the ACES contract. According to several Agency IT officials, NASA decided\n     against termination because the Agency had neither the funding nor the desire to extend the ODIN\n     contract and the former NASA CIO was confident that HP could deliver on its other contract\n     requirements.\n\n                                                       9\n\x0cI3P Program Manager at the time, all HP\xe2\x80\x99s metrics were indicating failure because HP\nwas not providing the products and services specified in the contract. In response to\nthese issues, in April 2012, NASA and HP signed contract modification 48, which\nfundamentally changed many of the requirements of the original contract, including the\nphase-in-plan, deployment schedule, and performance metrics. In addition, HP agreed to\nprovide NASA monthly credits or discounts to its base services and seat service charges\nup to $15 million. We summarize the major contract changes resulting from\nmodification 48 below:\n\n   \xef\x82\xb7   Performance Metrics and Retainage Pools. Changed the performance metric\n       categories and the calculation approach and added a retainage pool schedule, or\n       the amount NASA may withhold from HP based on failure to meet performance\n       metrics. NASA increased the amount it can withhold from 12 to 19 percent in\n       order to incentivize HP to improve service delivery.\n   \xef\x82\xb7   Phase-In Plan. Adjusted the transition approach to include HP\xe2\x80\x99s purchase of\n       existing ODIN assets and support of those assets until HP refreshes the seats. The\n       updated phase-in plan describes HP\xe2\x80\x99s plan to deploy new ACES equipment and\n       its approach for completing the ACES transition.\n   \xef\x82\xb7   Management Plan. Revised HP\xe2\x80\x99s Management Plan and replaced several key\n       members of the ACES management team.\n\nPerformance Metrics. NASA assesses HP\xe2\x80\x99s performance via service level agreements\nthat outline the level, scope, and quality of a service; the way in which NASA measures\nthe service; and the penalty for inadequate performance (retainage). Service level\nagreement categories include such areas as service delivery, customer satisfaction,\nincident management, and adherence to the equipment refresh schedule. Throughout the\nfirst 2 years of the contract, NASA has struggled to develop sound performance measures\nto evaluate HP\xe2\x80\x99s performance. As noted previously, NASA changed the original metrics\nin April 2012 with contract modification 48 after HP failed to complete the refresh in the\npromised 6 months. A second revision to this criteria occurred in October 2013 when\nNASA agreed to make changes to the performance metrics in response to a claim by HP\nrelated to performance calculations and retainage amounts. In January 2014, NASA\nrewrote the performance metrics for a third time.\n\nSince contract inception, NASA has retained approximately $6.9 million from HP for\ninadequate performance related to the contract service level agreements. HP\xe2\x80\x99s\nperformance is measured using four retainage pools and their associated service level\nagreements:\n\n   \xef\x82\xb7   Metrics Retainage Pool is calculated monthly and is comprised of 8 percent of the\n       total monthly costs allocated between seven areas: (1) Service Delivery, (2)\n       Service Availability Non-Base Services, (3) Service Availability Base Services,\n       (4) Customer Satisfaction, (5) Security Management Services, (6) Incident\n       Management, and (7) Service Asset Management Effectiveness.\n\n\n\n                                           10\n\x0c   \xef\x82\xb7   Performance Retainage Pool is assessed quarterly and is comprised of a retainage\n       at risk amount of 2 percent per month or 6 percent for each quarterly review\n       period.\n   \xef\x82\xb7   Schedule Retainage Pool is calculated monthly and is comprised of 5 percent of\n       the total monthly costs allocated between two areas: (1) Legacy Refresh Schedule\n       Adherence and (2) Contract Compliance Schedule. Review and evaluation of\n       these metrics will continue through the end of the initial ACES computer seat\n       deployment or completion of the ACES technical services, whichever is later.\n   \xef\x82\xb7   Small Business Utilization Pool is comprised of 1 percent of the contractor\xe2\x80\x99s net\n       monthly invoice and is evaluated against originally proposed Contractor\n       Subcontracting Plan goals.\n\nHP is required to submit monthly reports to NASA identifying its performance against\nthe established metrics. NASA uses these reports along with the personal observations\nand assessments of NASA staff to evaluate HP\xe2\x80\x99s performance. Several Agency IT\nrepresentatives expressed concern that NASA is placing too much reliance on HP\xe2\x80\x99s data\nto measure the company\xe2\x80\x99s performance. Further, many Agency IT representatives told us\nthat even though HP is generally meeting most performance metrics, a significant number\nof users remain unsatisfied, leading the representatives to question whether NASA is\nincentivizing the right behavior. While NASA intended to design the contract\xe2\x80\x99s\nperformance metrics and retainage pools to promote excellent service delivery and\ncustomer satisfaction, Agency officials did not accurately foresee the resources necessary\nto monitor and evaluate contractor performance in a process many IT representatives\ndescribe as overly burdensome.\n\nACES Product Catalog. The ACES contract requires HP to provide a web-based\ncatalog of commercial IT products not included as part of base services. Using this\ncatalog, employees can place orders, check order status, resolve disputed orders, schedule\ndelivery and installation, and return equipment. The contract states that HP shall offer\nhardware and software prices at a 30 percent discount below the manufacturer\xe2\x80\x99s\nsuggested retail price. However, we found that the product catalog is limited and\nequipment and software is often unavailable. According to NASA managers, HP\xe2\x80\x99s\nshrinking profit margins are driving product availability and HP has removed items from\nthe catalog. According to the contract, NASA can direct HP to add or remove catalog\nitems. However, for approximately 4 months in 2013, HP removed all software from the\ncatalog without Agency permission, which led users to make IT purchases elsewhere.\nSeveral IT managers told us that users at their Centers are placing orders using alternate\nprocurement vehicles and as a result NASA is not realizing the efficiencies and cost\nsavings initially envisioned with the ACES contract.\n\nLack of a Complete Ordering System. NASA does not have a fully functional system\nto order ACES-provided equipment and services. The ACES contract states that NASA\nwill place all orders through either the Enterprise Service Request System (ESRS) or the\n\n\n\n\n                                           11\n\x0cInfrastructure Upgrade Ordering Process.12 NASA planned for the ESRS to provide\nusers with a single automated tool to place orders for end-user services and catalog\npurchases. However, NASA included a statement in the \xe2\x80\x9cOrdering of Services and\nSupplies\xe2\x80\x9d section of the contract noting that ESRS was still under development:\n\n           Note to Offerors: The ESRS is being developed concurrently by the NASA Shared\n           Services Center (NSSC) and Computer Sciences Corporation (CSC) under contract\n           NNX05AA01C. As development of the ESRS matures, this clause will be revised to\n           provide more comprehensive information on the system.\n\nNearly 2 years later, NASA still has not developed a complete and fully functional\nordering system. While NASA uses ESRS to place single orders, the system cannot\nprocess bulk orders and no automated integration exists between NASA\xe2\x80\x99s ordering\nsystem and HP\xe2\x80\x99s order fulfillment and asset tracking system. Consequently, the Agency\nsubmits bulk orders using spreadsheets, which HP personnel manually enter into their\nservices and asset management systems.\n\nThe absence of a fully functional ordering system has affected HP\xe2\x80\x99s ability to deliver\nequipment and services. For example, the contract states that HP will refresh mobile\ndevices such as smartphones every 18 months. However, because the ordering system\nhas no mechanism for NASA managers to approve employee mobile device purchases or\nupgrades, these devices are not being replaced on schedule. As a workaround, NASA\nand HP have agreed to upgrades that do not involve additional service charges and are\nstrictly technology upgrades for the same service ordered, such as upgrading from an\niPhone 4 to an iPhone 5. Further, HP proposed adding an additional fee of $104 per\ntechnical refresh to cover the cost of manually processing bulk orders. NASA has\nrejected this fee proposal and, according to OCIO officials, is focusing on resolving\nissues jointly with HP.\n\nIn addition to the incomplete ESRS ordering system, the Computer Sciences Corporation\n(CSC) is also responsible for developing the Configuration Management Database to be\nused to identify, maintain, track, and report on all ACES-managed equipment. However,\nlike the ESRS, the database is not fully functional. The requirements for developing both\nsystems were added to an existing service delivery contract between CSC and the NSSC.\nHowever, because CSC receives its direction from the NSSC Board of Directors rather\nthan the OCIO, the OCIO has limited authority over CSC and does not direct its\nactivities.13 Some NASA IT managers believe that the ordering and tracking systems are\nnot complete because of competing priorities and a struggle for funding and resources\nbetween the NSSC and the OCIO. Assigning the design and development of both the\nordering system and asset control systems to a service delivery contract outside the\ncontrol of the OCIO has not worked well, and to date neither system is complete or\nfunctioning as intended.\n\n\n\n12\n     ESRS is an integrated management tool designed to be used by all I3P Contractors to coordinate and\n     fulfill service requests.\n13\n     CSC is an NSSC support contractor.\n\n                                                     12\n\x0cIncomplete Inventory and Inaccurate Invoices. NASA does not have an accurate\ndatabase to track the services and associated equipment ordered through the ACES\ncontract. According to the contract, HP is required to maintain configuration control for\nthe ACES-managed/provided IT environment and update NASA\xe2\x80\x99s tracking database with\ncurrent information after receiving, installing, refreshing, excessing, or moving items.\nWhile the database was designed to be NASA\xe2\x80\x99s authoritative record for validating ACES\nservices and invoices, NASA managers said the ordering system and database are not\nintegrated and the information in the database is not accurate, two factors that\nsignificantly hinder NASA\xe2\x80\x99s ability to validate ACES services and invoices. Currently, a\ncumbersome multi-step process is used to populate the database with IT asset\ninformation. Specifically, HP extracts the information from its asset tracking system into\na spreadsheet that NASA personnel load into the database. Agency officials informed us\nthat this manual process is error prone and time consuming. Further complicating\nNASA\xe2\x80\x99s ability to maintain an accurate inventory is the presence of unreliable\ninformation in the database regarding legacy ODIN equipment. When HP purchased the\nODIN assets, the inventory was outdated and incomplete. However, this admittedly\ninaccurate data was relied upon to determine the refresh schedule and to produce invoices\nfor NASA. Although NASA and HP are currently working to correct the data, this task\nwill require substantial resources and tremendous effort.\n\nWhile an interface with the vendor is necessary to gather asset information for deployed\nseats, we question why NASA does not maintain its own inventory of assets in order to\nverify the accuracy of the invoices it receives from HP. During our review, we identified\nseveral reoccurring issues with ACES invoices, including: (1) IT equipment or mobile\ndevices assigned to the wrong employee, the wrong Center, or both; (2) invoices with\nincorrect installation dates; and (3) invoice errors being corrected one month but\nreappearing the next. We also noted that NASA Centers and Programs are expending a\ngreat deal of internal and contractor resources to verify monthly invoices.\n\nWithout an accurate inventory, NASA cannot be sure it is paying the correct amount for\neach ACES seat. To determine the amount of money potentially at risk, we averaged the\ncost of the standard computer seat or \xe2\x80\x9cS\xe2\x80\x9d available to all NASA employees for a\nWindows and Apple desktop and laptop during the first 3 years of the contract. Because\nthe cost per seat can vary, we used the lowest cost for each device in our calculations.\nWe then determined the average price NASA will pay for the computer seat based on an\nexpected 3-year useful life of the equipment. We calculated that NASA pays between\n$2,300-4,000 to order an \xe2\x80\x9cS\xe2\x80\x9d seat from HPES for 3 years. Even with the substantial\nresources devoted each month to reconciling HP invoices, almost 2 years into the contract\nNASA has little assurance the amount it pays HP is correct.\n\n\n\n\n                                           13\n\x0c                                       Table 1. ACES Cost Per Seat\n                                                              Average Cost Per              Average 3 Year\n     Equipment                                                Device Per Month                Service Cost\n     Microsoft Desktop                                                   $65.11                  $2,343.96\n     Microsoft Laptop                                                     78.93                   2,841.48\n     Apple Desktop                                                       101.42                   3,651.12\n     Apple Laptop                                                        111.36                   4,008.96\nSource: OIG analysis of ACES contract data.\n\nThe cost-per-seat listed in Table 1 is for the standard computing seat. However, the\ncontract provides that HP will also provide three other types of seats : the \xe2\x80\x9cM\xe2\x80\x9d seat with\npre-defined services and services that can be modified by the end-user; the \xe2\x80\x9cB\xe2\x80\x9d seat for\nwhich services are \xe2\x80\x9cbuilt\xe2\x80\x9d to specific end-user requirements and service options; and the\n\xe2\x80\x9cT\xe2\x80\x9d seat for which services are rendered through a thin client appliance with predefined\nservices and service options.14 According to NASA IT officials, \xe2\x80\x9cB\xe2\x80\x9d seats are currently\nvery limited and HP has yet to deliver any \xe2\x80\x9cT\xe2\x80\x9d seats.\n\nSecurity and Patch Management. In addition to billing issues, the lack of an accurate\nand complete inventory poses a significant risk to NASA\xe2\x80\x99s IT security. According to the\nSANS Institute, a leading research and education organization of IT security\nprofessionals, the top security control for effective cyber defense is an \xe2\x80\x9cinventory of\nauthorized and unauthorized devices.\xe2\x80\x9d In other words, to secure its network an\norganization must know what equipment is connected to that network. Accordingly, the\nlack of a complete and accurate inventory poses an ongoing security challenge for\nNASA.\n\nIn addition, NASA\xe2\x80\x99s Security Operations Center \xe2\x80\x93 the entity that provides centralized,\ncontinuous monitoring of the Agency\xe2\x80\x99s computer network traffic as well as the\ncoordination, tracking, and reporting of security incidents \xe2\x80\x93 reported in September 2013\nthat ACES failed to deploy multiple updates, such as security patches, in a timely\nmanner, with some updates several months overdue. Patch management is the practice of\ninstalling software designed to fix problems or update a computer program and its\nsupporting data. Because these patches are critical to proactively prevent the exploitation\nof vulnerabilities on IT devices and ensure the security of NASA\xe2\x80\x99s networks, it is crucial\nthey be timely installed. However, NASA IT officials told us that patch management of\nACES computers needed improvement. Many cited the requirement of end-user\ninteraction and the delay in installing patches as two of the more crucial IT security\nissues. Because patches are only installed on machines during business hours, many\nusers do not interrupt their workflow to install the necessary patch, leaving their\ncomputers susceptible to vulnerabilities. To address this issue, HP recently adjusted the\npatch schedule to occur at night. However, because computers must be powered on and\nconnected to the NASA network to receive the patches, user interaction is still required.\n\n14\n     \xe2\x80\x9cService Option\xe2\x80\x9d is the characteristics and metrics that define a particular type of support to be provided\n     by the contractor. A thin client appliance refers to either a software program or an actual computer that\n     relies heavily on another computer to do most of its work.\n\n                                                        14\n\x0cData Management. We are concerned that NASA data stored on ACES computers may\nnot be adequately safeguarded at the end of the machines\xe2\x80\x99 useful lives. NASA does not\nown the ACES equipment and returns it to HP when no longer needed. As part of this\nprocess, the contract requires HP to provide \xe2\x80\x9cWipe and Load\xe2\x80\x9d services for ACES seats.\nWiping is the act of erasing all information on computer hard drives and bringing the seat\nback to the current, fully functional baseline configuration. HP relies on one\nsubcontractor to collect devices and another to wipe the hard drives. According to the\nACES Subject Matter Experts we spoke with, there is little accountability and weak\ninternal controls when the computers are collected for Wipe and Load services. For\nexample, many users do not receive a receipt for removed equipment and the equipment\noften continues to appear as \xe2\x80\x9cactive\xe2\x80\x9d in the ACES inventory. Once the computers are\ncollected, the subcontractor loads them into vehicles (sometimes the personal vehicles of\nsubcontractor staff) and the computers leave NASA control to travel to another\nsubcontractor for hard drive wiping. In many cases, this equipment \xe2\x80\x93 potentially\ncontaining large amounts of NASA data \xe2\x80\x93 travels hundreds of miles from the NASA\nCenter to the subcontractor\xe2\x80\x99s location before the hard drives are sanitized.\n\nStaffing. Both NASA and HP have experienced extensive turnover of key IT,\nprocurement, and other staff involved in the daily administration of the ACES contract.\nMoreover, NASA relies on a single contracting officer at the NSSC to administer the\nACES contract and accomplish the tasks multiple contracting officers performed for the\nODIN contract. During the first 2 years of the ACES contract, the project has had four\ncontracting officers and five contracting officer technical representatives.15 Several\npeople involved in administering the ACES contract raised concerns that the contracting\nofficer is located at the NSSC while the contracting officer technical representative works\nout of the End-User Service Office at the Marshall Space Flight Center. NASA has also\nexperienced turnover in the ACES End-User Services Office and among Center IT\npersonnel dedicated to implementing the contract. On the HP side, company officials\nacknowledge they did not appropriately staff the transition from ODIN to ACES and that\nthey have experienced high staff turnover at the Centers.\n\nA September 2013 study by the OCIO found that lack of skills and limited knowledge of\nHP Center technicians was leading to inefficient processes, a lack of confidence by\ncustomers, and an increase in customer dissatisfaction. Additionally, an HP\nrepresentative told us that subcontractors at NASA Headquarters walked off the job over\na dispute regarding how they were paid for installing new equipment. Specifically, they\nwere being paid based on the number of computers installed \xe2\x80\x93 installations they could not\ncomplete if NASA users turned them away. HP representatives estimated that at the time\nemployees were denying approximately 40 percent of planned refreshes at Goddard\nSpace Flight Center. NASA IT managers said some of the users refused equipment either\nbecause they did not order it or because it was wrong equipment. To address this issue,\nNASA and HP are instituting a $100 per seat charge to the party at fault for any\ninstallation missed four or more times. We are concerned that these staffing issues affect\nthe quality and consistency of service delivery.\n\n15\n     A contracting officer\xe2\x80\x99s technical representative assists in the technical monitoring and administration of a\n     contract.\n\n                                                        15\n\x0cWe are also concerned about the safety of NASA-leased equipment and information if\nsubcontractors with access to this property have not completed proper background\nchecks. Specifically, we identified several HP subcontractors working at NASA Centers\nwho had criminal histories related to theft and child pornography \xe2\x80\x93 issues that should\nhave been flagged with appropriate background screenings.\n\nCost Savings. NASA estimates that had the ACES contract been implemented as\nplanned, the Agency would have saved approximately $31 million a year compared to the\nODIN contract. However, because of the many modifications to the contract and the lack\nof a complete ACES inventory, NASA cannot accurately measure the true cost of the\nACES contract or determine whether it has resulted in any savings to the Agency. In\naddition to the indirect cost related to validating ACES invoices, staff turnover, and the\ncivil service resources devoted to the contract activities, NASA is incurring additional\ncosts beyond the base and seat charges that may affect the total cost of the contract. For\nexample, among the claims submitted by HP for additional payments from NASA are\ncharges for $12.9 million in June 2013 for services the company believes it provided in\nexcess of contract requirements and $5.4 million in July 2013 disputing performance\ncalculations and subsequent payment retainage. NASA settled the latter claim in the fall\nof 2013. Furthermore, as previously mentioned NASA paid HP an additional $220,000\nbetween July 2012 and March 2013 to expedite encryption on laptops computers.\n\nNASA continues to modify the contract to address gaps and request additional services\nthat result in additional charges. Of the 200-plus contract modifications, 128 were for\nIUPs. NASA uses IUPs to request a variety of services such as a dedicated ACES\ntechnician for a specific NASA program or a Center paying for an early technical refresh.\nAs of November 2013, NASA has negotiated $31.6 million in IUPs with HP. In the 2\nyears since its inception, NASA has made over 200 contract modifications to the ACES\ncontract. In our opinion, the high number of modifications in such a relatively short\nperiod indicates that the contract was not specific enough to meet the needs of NASA\xe2\x80\x99s\ndecentralized IT environment and that the services provided to date are not meeting\nNASA\xe2\x80\x99s expectations.\n\nLessons Learned. During our review, ACES stakeholders, including HP representatives\nand NASA IT and procurement officials, shared with us the issues, risks, and lessons\nlearned they have encountered during development and implementation of the ACES\ncontract, including:\n\n   \xef\x82\xb7   Ensure Agency requirements are clearly defined in a complete, concise, and\n       realistic contract.\n   \xef\x82\xb7   Consider mechanisms or options available to the Agency to enforce contract\n       requirements that are not met.\n   \xef\x82\xb7   Review performance metrics to ensure they promote the intended outcome and\n       ensure that NASA has a viable means to measure the contractor\xe2\x80\x99s performance,\n       including allocating sufficient staff with adequate time to spend on the project.\n\n\n\n                                           16\n\x0c        \xef\x82\xb7   Address the barriers hindering development of a fully functional ordering system\n            or explore alternative solutions.\n        \xef\x82\xb7   Establish an inventory of services and assets in order to verify the accuracy of\n            invoices and ensure proper security and patching of devices.\n        \xef\x82\xb7   Consider reviewing current data management practices.\n        \xef\x82\xb7   Ensure identification of the proper resources, such as staffing, technical skills, and\n            management to execute contract requirements.\n\nManagement Action\n  NASA is fast approaching a crossroads related to the ACES contract and soon must\n  decide whether to execute the first 3-year option period or begin a lengthy and\n  labor-intensive effort to identify alternates to obtain its critical IT services. Prior to\n  making this decision, we encourage NASA to consider the information contained in this\n  memorandum in addition to its own reviews, feedback from customers and stakeholders,\n  and estimates of its projected future funding levels.\n\n\n\n\n  cc:       David Radzanowski\n            Chief of Staff, Office of the Administrator\n\n            Bill McNally\n            Assistant Administrator for Procurement\n\n\n\n\n                                                 17\n\x0c'